Apparatus and method for monitoring and interpretation of application protocols for network data transmission systems

ABSTRACT

An apparatus and a method for monitoring and interpretation of application protocols for network data transmission systems are provided, wherein the apparatus comprises: a data packets monitoring device ( 9 ); a control unit ( 15 ) receiving the data coming from the monitoring device ( 9 ) and discriminating them in control and information frames; a dating unit ( 16 ) connected to the control unit ( 15 ), for obtaining a reconstruction of a tree structure containing statistic information depending on the kind of communication for a certification of the communications and a monitoring of possible anomalies.

The present invention provides an apparatus and a method for monitoringand interpretation of application protocols for network datatransmission systems.

More particularly, the present invention allows a reconstruction of theapplication communications which occurred within the network portiontaken into consideration. Therefore, it becomes possible to reconstructa tree structure containing statistic information related for example tothe data exchanges between a plurality of users of a certain service andthe service itself. Such a tree structure containing statisticinformation allows a certification of the data and of the communicationcorrectness at various layers comprising the application one, as well asthe monitoring of possible anomalies and the construction ofdiagnostical statistics.

Data transmission from a source device to a destination device can occurin different manners. However, to assure a data exchange having thelowest possible chance of errors, it is necessary to adopt a series ofrules or control procedures. Said rules or procedures are known as“communication protocols”.

A well known communication protocol is the “Open System Interconnection”(OSI) of the International Standards Organization (ISO). Said protocolis divided into seven layers, shown in FIG. 1. Layer 7 (application) onthe source side contains information related to the sole message (M) tobe sent to the destination side. The successive layers on the sourceside add control information to the message:. layer 6 (presentation)divides the data of the original message into blocks (M1 and M2); layer5 (session) adds a title (S) to indicate the sender, the receiver andsome information related to the sequence; layer 4 (transport) addsinformation (T) related to the logic connection between the sender andthe receiver; layer 3 (network) adds information related to the path (N)and divides the message into packets representing the standardcommunication unit in a network; layer 2 (data link) adds a titleportion (B) and a tail portion (E) to the message to assure the correctorder of the various packets and to correct transmission errors; thesingle message bits and control information bits added by the variouslayers are transmitted on the physical medium through layer 1. Thedownward pointing arrow F1 on the sender side indicates the manneraccording to which the outgoing message is constructed. Every additionto the message is verified and removed from the corresponding layer onthe destination side. The upward pointing arrow F2 on the destinationside indicates the manner according to which the incoming message isreconstructed.

The OSI model schematically described up to this point is just aconceptual model. A typical protocol normally adopted is for example theTCP/IP (Transmission Control Protocol/Internet Protocol). Said protocol,just like other communication protocols adopted, can be explained withreference to the layers structure of the OSI model. In fact, in each ofsaid protocols, a certain source layer will divide the data it receivesfrom an upper layer adding to said data a header and/or a tail and willforward all this to a lower layer. On the destination side the oppositeoperations will occur.

Therefore, during the present description, reference will be made to theconceptual OSI model for ease of reference; it is to be understood thatwhat it will be described, will be easily suitable for every applicationprotocol with obvious modifications, typical of the relationexisting-between each-application protocol and the OSI standard.

Monitoring systems for data transmitted between a sender node and adestination node are already known. However, said systems can onlyanalyze the OSI layers 2 (data link) and 3 (network). The monitoring andthe successive interpretation of the data at said layers allow only themonitoring of anomalies in the exchange protocol among the variouscomponents of a network data transmission system.

In particular, documents “The Network Advisor Analysis and Real-TimeEnvironment” and “Network Advisor Protocol Analysis: Decodes” by SunilBhat, Hewlett-Packard Journal, vol. 43 no. 5, Oct. 1, 1992, pages 29-33and 34-40 respectively, are known. Such documents refer to analysis ofthe network status, between a source node and a destination node and aredirected towards error and/or malfunction monitoring at a protocol level(IP, UDP etc) used by various applications.

Therefore, a typical disadvantage of said prior art systems is theirincapability of decoding the application piece of informationtransported on the network, i.e. the piece of information related to thelayers 4 to 7 of the OSI standard.

The present invention overcomes said prior art problem. A first objectof the present invention is to allow the reconstruction of theinformation exchange between the source and the destination node as faras data and time are concerned. The time reconstruction will be allowedby a dating unit. The data reconstruction will be allowed by thecomparison with predetermined data representing possible interpretationsof the information exchange.

A second object of the present invention is to provide a safe andreliable certification tool of the application sequences on publiccommunication networks, once said sequences are reconstructed.

Another object of the present invention is to monitor and record thepossible presence of errors in the applications operating in thecommunication network wherein the data were monitored and interpreted.

A further object of the present invention is to allow a record foradministrative, accounting and safety purposes of the monitored andinterpreted data exchange.

The present invention provides an apparatus for monitoring andinterpretation of application protocols for network data transmissionsystems comprising:

a data packets monitoring device at a layer corresponding to the OSIlayer 2, said data packets comprising control frames and informationframes, wherein the control and information frames contain a headerportion and a body portion, said header portion allowing the distinctionbetween an information frame and a control frame;

a control unit receiving as an input the data coming from the monitoringdevice and comprising means for the discrimination of the control framesfrom the information frames;

a dating unit connected to the control unit and associating a monitoringtime to the control frames and to the information frames;

a discriminated data storing unit, storing the control and theinformation frames and the monitoring time thereof, bidirectionallyconnected to the control unit; and

a predetermined data storing unit, bidirectionally connected to thecontrol unit, said predetermined data representing possibleinterpretations of the information or control frames contained in thediscriminated data storing unit and being comparable, by the controlunit, with the data contained in the body portion of the information orcontrol frames stored in the discriminated data storing unit, as toallow:

an ordering, according to the time and to the kind of communication, ofthe body portions of the control and information frames; and

a reconstruction of tree structures containing statistic informationaccording to the kind of communication (multiprotocol reconstruction),for a certification of the communications and a monitoring of possibleanomalies.

Furthermore, a method for monitoring and interpretation of applicationprotocols for network data transmission systems is provided, comprisingthe following steps:

monitoring data packets at a layer corresponding to the OSI layer 2,said data packets comprising control frames and information frames,wherein the control and information frames contain a header portion anda body portion, said header portion allowing the distinction between aninformation frame and a control frame;

discriminating the control frames from the information frames;

associating a monitoring time to the control frames and informationframes;

storing the discriminated control frames and information frames togetherwith their monitoring time; and

storing predetermined data representing possible interpretations ofinformation or control frames, said predetermined data being comparablewith the data contained in the body portion of the stored discriminatedinformation or control frames;

ordering the body portions of the control or information framesaccording to the time and to the kind of communication; and

reconstructing tree structures containing statistic informationaccording to the kind of communication (multiprotocol reconstruction),for a certification of communications and a monitoring of possibleanomalies.

Additional features of the present invention are provided in thedependent claims.

Therefore, the apparatus and the method according to the presentinvention can analyze every layer of the ISO/OSI standard up to theapplication one as well as similar layers for other standards. In thismanner, the reconstruction of the information exchanges occurred in acertain time interval between applications operating in remoteprocessors is made possible.

The apparatus and the method according to the present invention operatein a “transparent” manner, as data transmission between source anddestination is not influenced by the monitoring and the successiveinterpretation of the same data.

The apparatus and the method according to the present invention can alsooperate on wireless telecommunication networks.

The present invention will be illustrated herebelow by referring to apreferred embodiment thereof, explained by way of a non-limitingexample.

The annexed drawings will be referred to, wherein:

FIG. 1, as set forth above, shows a schematic diagram of the OSIstandard;

FIG. 2 shows a schematic view of the kind of data used on communicationnetworks;

FIG. 3 shows a block diagram of the apparatus according to the presentinvention;

FIG. 4 shows a flow chart explaining the operation of the apparatus andmethod according to the present invention;

FIGS. 5 and 6 show additional flow charts for the understanding of whatdescribed with reference to FIG. 4; and

FIGS. 7A and 7B show an example of a tree structure containing statisticinformation obtained by means of the apparatus and method according tothe present invention.

With reference to the OSI standard, the communication unit in a networkis the packet. Packets are in turn divided into frames. The beginningand the end of each frame are usually determined by delimitationcharacters. The frames are in turn divided into information and controlframes. The information frames transport the data relative to themessage that is to be transmitted throughout the network, while thecontrol frames deal with the regulating modes of said transport, i.e.the flow control and the starting of the error recovery actions. Boththe information and the control frames contain a header portionidentifying the frame type, and a body portion which is typical of theframe itself.

The information frame structure will be described with reference to FIG.2. Tn the upper portion of said figure, the generic structure of a OSIlayer 2 packet is schematically described, thus comprising bothinformation frames 1 and control frames 2. A single information frame(OSI layer 3) is constituted by a header portion 3, containing theidentification that the frame is an information frame, and by a bodyportion 4. The body portion (OSI layers 4 to 7) contains the realmessage 5, together with a plurality of fields 6, typical of theparticular application syntax used, illustrated by way of example in thefigure with the characters C1, C2 and C3. The application syntax is theinformation relative to the number of fields contained within theplurality 6, to the meaning of each of said fields and to the datacontained therein.

Reference will be now made to FIG. 3. A source node 7 and a destinationnode 8 are shown, terminals of the network portion in which the data aremonitored and interpreted. Throughout the connection between said twonodes, schematically illustrated by arrows F3, F4, F5, F6 and by thetransmission medium 23, data relative to plural communications between afirst set of source processors (not shown in the figure) upstream of thesource node 7 and a second set of destination processors (not shown inthe figure) downstream of the destination node 8 travel bidirectionally.

The present invention provides monitoring of said data by means of adata monitoring device 9. Several are the monitoring devices known onthe market, for example the S508 card produced by the Canadian companySangoma. Such card can operate with different OSI layer 1 (physicallayer) standards such as, for example, the RS232 (or V.24) standard andthe RS422 (or V.35) standard. The OSI layer 2 and 3 standards togetherwith said card can operate are, for example, the HDLC standard and theX.25 standard. Anyway, the kinds of data monitoring device 9 to bechosen for the purposes of the present invention can vary depending onwhich OSI layers 1 or 2 standards one needs to operate. In fact, it willbe possible to use monitoring devices working with implementationstandards different from the OSI layer 2, such as for example “FrameRelay” or SDLC or also BSC and the like. Said devices are well known tothe person skilled in the art and they will not be here described indetail.

The monitoring occurs “transparently” by means of two parallelconnectors 10 and 11, schematically illustrated in the figure, allowingthe monitoring of the data coming respectively from the source node 7,and from the destination node 8 without influencing their transmissionfrom the source node to the destination node and viceversa. Themonitoring device 9, shown by the dashed block in the figure, includes asource data receiver 12, a destination data receiver 13 and a connectioninterface 14. The source data receiver 12 allows reception of the datacoming from the source node 7 only, as it is schematically indicatedwith the arrow F7; on the other hand, the destination data receiver 13allows the reception of the data coming from the destination node 8only, as schematically indicated with the arrow F8. At OSI layer 2, datacoming from the source node contain a code identifying the source, whiledata coming from the destination node contain a code identifying thedestination. The source data receiver 12 and the destination datareceiver 13 can therefore easily identify the two different types ofdata. The data received in this manner are transmitted to the connectioninterface 14, as it is indicated by arrows F9 and F1O.

Each data packet situated at a layer corresponding to the OSI layer 2read by the monitoring unit 9 is forwarded to a control unit 15, asindicated by arrow F11. The operation of the control unit 15 will bedescribed in detail later. To each of said packets a reading time isassociated by means of a dating unit 16, represented outside the controlunit 15 for ease of description and therewith connected as indicated byarrow F12. Such dating unit 16 can be any device commonly available, inparticular a radio or a satellite one. In a preferred embodiment of thepresent invention, a radio controlled digital clock adjusted on the CET(Central European Time) broadcast by a geostationary satellite was used.

Further to the association of the reading time by means of the datingunit 16, the control unit 15 discriminates the information frames fromthe control frames. For example, if transmission of the informationoccurs in the HDLC language, the last bit of the header portion of theinformation frame is 0 whereas the last bit of the header portion of acontrol frame is 1. Therefore, inside the control unit 15 there aremeans, not described in the figure, discriminating said last bit, e.g. afirmware contained in a ROM. In any case, no matter which datatransmission code is used, it will always be possible to provide meansfor said discrimination discriminating a control frame from aninformation frame. Such discrimination thus allows the storage of thesingle information frame deprived of the header portion and comprisingthe body portion only, thus containing the information which is typicalof the particular application syntax used, together with the message tobe transmitted.

The data incorporating the monitoring time and divided into informationframes and control frames are stored inside a discriminated data storingunit 17, bidirectionally connected to the control unit 15 as indicatedby arrow F13. There is also a predetermined data storing unit 18,bidirectionally connected to the control unit 15. Said predetermineddata represent possible interpretations of the information or controlframes contained in the discriminated data storing unit 17. Their usewill be explained herebelow with reference to the following figures. Theconnection between the predetermined data storing unit 18 and thecontrol unit 15 is indicated by arrow F14.

Reference will be now made to FIG. 4, showing a flow chart indicatingthe operations executed by the control unit 15 on the information framesstored in the discriminated data storing unit 17. It is to be understoodthat the access to such information frames can be selectively regulatedby authorizations and privileges management systems such as passwords,encryption and decryption codes, badge readers and the like given toqualified users.

A first step S1 indicates the reading of the various packets by themonitoring unit 3. A second step S2 indicates the previously describeddiscrimination operated by the control unit 15 between the informationframes and the control frames, together with the association of themonitoring time.

On the non-application low layer control frames, a statistic processingmight also be provided operated in the step S3. Said processing is notdescribed in detail at the moment; the modes by which it occurs willturn out to be clear at the end of the present description. The finalresult of such processing will provide a list of the control frames,reporting also the number of occurrences for each of said frames.

As for the information frames, the flow proceeds to a step S4 whereinthe single information frames are reconstructed according to the theirspecific application syntax. To the purposes of said reconstruction, theapplication syntax structures of the single information frames must beknown. In fact, they are contained inside the predetermined data storingunit 18 described with reference to the previous FIG. 3. Said unit 18contains, for example in a text file, a formal abstract description forpossible interpretations of the information or control frames. Said datarepresent the modes according to which the body portion of a singleinformation frame can be structured, for example the machinetransmission code (i.e. related to an information frame forwarded by thesource or the destination), the number of the channel (i.e. related to aspecific processor upstream of the source node or to a specificprocessor downstream of the destination node), protocol numbers, dataprocessing numbers etc. Said unit 18 can of course contain the syntax ofseveral application protocols of the information frames that are to bereconstructed in that moment.

A reconstruction of the information frames one by one is obtained by asequential comparison of the body portion of each information frame witheach one of the abstract models in the unit 18.

Further to this, the different application sequences occurred between adetermined source processor and a determined destination processor canbe reconstructed, i.e. ordered according to time and kind ofcommunication. Throughout the present description, for applicationsequence will be intended the whole of the information frames exchangedbetween a determined source processor and a determined destinationprocessor during a single communication. The application sequenceordered in step S5 will contain the single information frames orderedaccording to a time criterion only and not also to a logic one. Orderingby time will be possible through the time association occurred in theprevious step S2. To give also a logical ordering of the data inside aspecific application sequence, the presence of a group of applicationrules directing the data exchange between source and destination can beuseful, although not necessary. Said application rules, typical of theparticular kind of conversation between a determined source processorand a determined destination processor, must be predetermined and assuch, they as well are collected in the predetermined data storing unit18. Said application rules are a series of possible interpretations ofthe information frames sequences contained in the discriminated datastoring unit 17.

An example of such application rules is given by Table 1 herebelow,wherein reference is made to a communication between a sourcerepresenting a student (client) wanting to enroll to university viaterminal, and a destination (server) representing the university wherethe student wants to enroll.

TABLE 1 1: AS ? FDB 15 AS ? FDB 5 AS ? FDB 0 The enrollment booking wasregularly acquired 2: AS ? FDB 13 AS ? FDB 0 The client position is notregular ......... ......... .........

Every line of said table is an application rule, indicating i.e. apossible data exchange application sequence between source anddestination. The meaning of each application sequence is illustratedherebelow. For example, the first line indicates the following sequenceof information frames:

the source (AS) interrogates (?) the destination;

the destination (FDB) answers with the activity number 15;

the source (AS) interrogates again (?) the destination;

the destination (FDB) answers with the activity number 5;

the source (AS) interrogates (?) the destination; and

the destination (FDB) answers with the activity number 0.

The result obtained at the end of this conversation is that the bookingfor the university enrollment is regularly acquired. The structure ofTable 1 is a mere example and it could also be illustrated with a treestructure having a number of branches depending on the number ofapplication sequences provided. Every path down to one of the treeleaves would illustrate a particular application sequence, i.e. aparticular conversation between source and destination, i.e. aparticular information frame sequence between source and destination.

The number of application rules can be anyone. The larger the number ofapplication rules provided, the bigger the chance to associate each ofthe application sequences temporally reconstructed in the step S5 with awell defined logic meaning found by comparison with a particularapplication rule contained in the storing unit 18 in FIG. 3. Therefore,in this manner it will be possible to verify the correctness or theanomaly of the particular application sequence that is being compared inthat moment.

In the step S6 in FIG. 4, the control unit 15 verifies first of allwhether such application rules are available or not. Supposing that saidapplication rules are known, the flow can proceed either toward a stepS8 or toward a step S9, depending on what was chosen in the step S7. Thestep S8 allows a simple classification of the application sequences. Infact, each application sequence is classified as belonging to aparticular path among the various possible paths inside the applicationrules tree. The step S8 will be explained in greater detail withreference to the following FIG. 5.

On the other hand, in the step S9 the logical path of all theapplication sequences monitored by the apparatus in a predetermined timeinterval is reconstructed. Said step S9 will be described in greaterdetail with reference to the following FIG. 6.

The apparatus according to the present invention allows a reconstructionof the logical path of the application sequences also if a series ofapplication rules is not provided. In this event, the flow proceedstoward a step S10, that will also be described later.

Reference will be now made to FIG. 5, which provides a more detailedexplanation of what previously described with reference to the step S8in FIG. 4.

In a first step S11 the single application sequence, object of thecomparison, is selected. In a successive step S12, the elements whichare characterizing for comparison purposes are selected inside theselected application sequence. In the example of the enrollment touniversity previously described in table 1, said characterizing elementsmight be: the identification number of the source processor, theidentification number of the user who required the enrollment operation,the data provided by the source and the data provided by thedestination. In the step S13 the characterizing elements of theconsidered application sequence are compared with one of the applicationrules of the above described table 1, searching for a possiblecorrespondence. If such a correspondence is found, the flow proceedstoward a step S14 wherein said correspondence is reported and will haveto be taken into consideration in the results of the interpretation.Then the flow selects another sequence and executes again the step S11.If the correspondence at the step 13 is not found, the control unit 15goes in step S15 to a subsequent rule and if (step S16) there are stillrules allowing a comparison, the control unit executes once again thecomparison of step S13. If no further rules are found, the control unitreports an anomaly in the step S17. Such an anomaly might alternativelymean:

either a kind of sequence which should have not been occurred (a realanomaly); or

a kind of sequence not inserted by mistake inside the application rulestree.

In each of said events, finding such an anomaly is certainly useful forthe certification of the kinds of application sequences occurred in thenetwork portion under examination.

Reference will be now made to the following FIG. 6 which gives a moredetailed explanation of what described in the step S9 in FIG. 4.

The steps S18 and S19 select respectively the single applicationsequence and the characterizing elements of the same, similarly to whatdescribed with reference to the previous FIG. 5. The step S20 is toindicate the comparison between the application sequence and the presetapplication rules contained inside the predetermined data storing unit18. If a correspondence is found, the flow proceeds toward a step S21wherein the correspondence found is taken into consideration through theupdate of the related statistic fields. Steps S18-S20 will besubsequently repeated until the end of the sequences to be classified.If no correspondence is found, the application sequence to be classifiedis new; it can be an anomaly or simply an unexpected sequence. In thisevent, the flow proceeds toward a step S22 wherein the statistic fieldsrelated to that specific sequence are initialized. Furthermore, the newsequence will be inserted in the list of the preset sequences that areto be used for the comparison in the step S20. This is also indicated bythe double pointing of the arrow F14 in the previous FIG. 3. Saidparticular sequences, i.e. the possible anomalies, can be evidenced in aparticular manner to be recognized as such. Further to this, also inthis case the steps S18-S20 are repeated until the end of the sequencesto be classified. In particular, besides the number of crossings foreach tree branch, it is also possible to monitor uncrossed branches.

In case there is no preset sequence of application rules, it will alwaysbe possible for the control unit to reconstruct the communicationapplications occurred in the network portion under control (step S10 inFIG. 4). In this event, each analyzed application sequence will not becompared with the preset sequences, but with the previously analyzedsequences, acting as predetermined data to be compared with thesequences to be further analyzed. Therefore, the tree structurecontaining statistic information will be reconstructed by reciprocalcomparison of each body portion of the information frames with theothers. Also in this case, a tree will be constructed and it will bepossible to know the number of crossings for each branch. Obviously, inthis case it will not be possible to monitor the uncrossed branches asthere will not be a prior knowledge of the existence of said branches.

Finally, reference will be made to FIGS. 7A and 7B showing respectivelyan example of an information frame structure and an example of a treestructure containing statistic information obtained by means of theapparatus according to the present invention.

In FIG. 7A it is possible to notice four different fields: a first field19 indicating the name of the source or destination processor; a secondfield 20 indicating the number of connections in the monitored timeinterval, a third field 21 indicating the average time length of eachconnection, counted for example in milliseconds, and a fourth field 22indicating the code of the activity executed.

FIG. 7B indicates the reconstructed tree. A first element E1 in the treeindicates that AS (source) connected 20 times, with an averageconnection time of 0 milliseconds (simple opening of the connection withthe destination) and executed the activity with the code 0. A secondelement E2, E1's only “son”, indicates that in all those 20 connectionsFDB (destination) answered with the activity having the code 20, with anaverage connection time of 737 milliseconds. There were two manners ofproceeding. AS answered 18 times (element E3) with the activity 0 andtwice (element E4) with the activity 1. The tree proceeds with otherelements whose meaning is now clarified by the context. The treeherewith disclosed is the result of the logical ordering operated in thesteps S9 or S10 in FIG. 4.

It is to be noted that the monitoring of the contents in the fields 19and 22 of each element was operated in the step S4 in FIG. 4. Themonitoring of the connections among the various elements, i.e. the factthat the element E2 is E1's “son” and that the elements E3 and E4 areE2's “sons”, was operated either in the step S9 or in the step S10 inFIG. 4.

The present invention has been up to now described with reference tosome of its forms of preferred embodiment, given as non-limitingexamples. For example, it is to be understood that it is possible toprovide an application according to the present invention having severalapparatuses provided along different portions of the line.

Furthermore, it is to be understood that there are other possibleembodiments and kind of services falling within the protective scope ofthe present application.

What is claimed is:
 1. An apparatus for monitoring and interpretation ofapplication protocols for network data transmission systems comprising:a data packets monitoring device (9) at a layer corresponding to the OSIlayer 2, said data packets comprising control frames and informationframes, wherein the control and information frames contain a headerportion and a body portion, said header portion allowing the distinctionbetween an information frame and a control frame; a control unit (15)receiving as an input the data coming from the monitoring device (9) andcomprising means for the discrimination of the control frames from theinformation frames; a dating unit (16) connected to the control unit(15) and associating a monitoring time to the control frames and to theinformation frames; and a discriminated data storing unit (17), storingthe control and the information frames and the monitoring time thereof,bidirectionally connected to the control unit (15), characterised inthat it further comprises: a) a predetermined data storing unit (18),bidirectionally connected to the control unit (15), said predetermineddata representing possible interpretations of the information framescontained in the discriminated data storing unit (17); b) means forcomparing, by the control unit (15), said predetermined data stored inthe storing unit (18) with the data contained in the body portion of theinformation frames stored in the discriminated data storing unit (17),thus reconstructing the information frames according to their specificapplication syntax; c) means for ordering, according to the time andkind of communication, the information frames reconstructed according totheir specific application syntax, thus reconstructing applicationsequences occurred between a determined source processor and adetermined destination processor; and d) means for ordering saidinformation frames ordered according to the time and kind ofcommunication also according to a logical criterion, thus reconstructingthe logical path of said application sequences occurred between adetermined source processor and a determined destination processor. 2.The apparatus according to claim 1, characterized in that said means forordering said information frames according to a logical criterioncomprise means for reciprocally comparing the body portion of theinformation frames.
 3. The apparatus according to claim 1, characterizedin that said means for ordering said information frames according to alogical criterion comprise means for comparing each sequence of bodyportions of the information frames with a set of predeterminedsequences, said predetermined sequences representing possibleinterpretations of the information frames sequences contained in thediscriminated data storing unit (17), said predetermined sequences beingcontained in said predetermined data storing unit (18).
 4. A method formonitoring and interpretation of application protocols for network datatransmission systems comprising the steps of: monitoring data packets ata layer corresponding to the OSI layer 2, said data packets comprisingcontrol frames and information frames, wherein the control andinformation frames contain a header portion and a body portion, saidheader portion allowing the distinction between an information frame anda control frame; discriminating the control frames from the informationframes; associating a monitoring time to the control frames andinformation frames; and storing the discriminated control frames andinformation frames together with their monitoring time, characterized inthat it further comprises the steps of: a) storing predetermined datarepresenting possible interpretations of the information frames; b)comparing said predetermined data with the data contained in the bodyportion of the stored information frames, thus reconstructing theinformation frames according to their specific application syntax; c)ordering, according to the time and kind of communication, theinformation frames reconstructed according to their specific applicationsyntax, thus reconstructing application sequences occurred between adetermined source processor and a determined destination processor; andd) ordering said information frames ordered according to the time andkind of communication also according to a logical criterion byreciprocally comparing the body portion of the information frames, thusreconstructing the logical path of said application sequences occurredbetween a determined source processor and a determined destinationprocessor.